CISA warns of MinIO privilege escalation flaw exploited in attacks

On September 19, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) added a new high-severity vulnerability in MinIO to its catalog of security flaws exploited in the wild. The vulnerability tracked as CVE-2023-28434 has a CVSS score of 8.8 and allows an attacker to bypass metadata bucket name checking and insert an object into any bucket while processing PostPolicyBucket.

MinIO is a popular object storage solution that is widely used for machine learning, analytics, and application data workloads due to its compatibility with the Amazon S3 cloud storage service.

The CVE-2023-28434 vulnerability can be exploited by attackers who have credentials with arn:aws:s3:::* permission and enabled Console API access. This vulnerability affects MinIO versions before RELEASE.2023-03-20T20-16-18Z on Linux and MacOS platforms.

Security Joes, a reputable name in the cybersecurity space, unearthed an alarming incident in early September. The adversaries, with cunning precision, launched a modified version of the MinIO application, sinisterly dubbed “Evil MinIO”— and yes, it’s openly accessible on GitHub.

The anatomy of this attack is intriguing. The attackers initiated their campaign by hoodwinking a DevOPS engineer through a masterclass in social engineering, urging them to revert to a susceptible MinIO software version.

Post-downgrading, the black hats exploited the CVE-2023-28432 vulnerability, granting them remote access to the server’s intimate environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD variables.

Empowered with these administrative keys, they commandeered the MinIO admin console. Their next move was sinister in its simplicity: they twisted the software update URL into a malevolent one under their dominion.

In tandem, they harnessed the might of CVE-2023-28434, discreetly swapping the legitimate .go source code file for a corrupted counterpart.

But what does this malicious upgrade entail? It’s a spitting image of the authentic MinIO application but with a malicious twist. It embeds code allowing commands to be executed remotely via specific URLs. Security Joes observed the cyber perpetrators deploying this backdoor to run Bash commands and even download Python scripts.

(Security Joes)

The researchers note, “This endpoint functions as a built-in backdoor, granting unauthorized individuals the ability to execute commands on the host running the application.” To exacerbate the situation, the commands derive permissions from the user initiating the application. And, as was the case, if this user has root-level permissions, the implications can be catastrophic.

Despite its audacity, the Evil MinIO’s backdoor went unnoticed by engines on the Virus Total scanning platform, even a month after its unveiling.

VirusTotal report of the “evil” MinIO application found in a compromised machine during research. (Security Joes)

Alarmingly, Security Joes highlights a potential calamity in the making. Their data unveils a whopping 52,125 MinIO instances publicly exposed. And while 38% seem safeguarded with non-vulnerable software versions, the rest dangle as potential low-hanging fruits for cyber adversaries.

​With the flaw’s addition to the KEV catalog, CISA has ordered U.S. federal agencies to secure their systems against attacks within three weeks, until October 10th, to thwart attacks that might target their networks.

If you are using MinIO, it is important to upgrade to the latest version as soon as possible to mitigate the risk of Evil MinIO attacks.